Olaf Kirch - Linux Network Administrator Guide, Second Edition

Here you can read the complete text of the e-book «Olaf Kirch - Linux Network Administrator Guide, Second Edition» online, free of charge and unabridged. In some cases an audio version can be played, the book can be downloaded via torrent in fb2 format, and a short summary is provided. Year of publication: 2000, ISBN: 2000, Genre: OS and Networks, in English. A description of the work (preface) and reader reviews are available on the LibCat library portal.

Linux Network Administrator Guide, Second Edition: summary, description and annotation


This book was written to provide a single reference for network administration in a Linux environment. Beginners and experienced users alike should find the information they need to cover nearly all important administration activities required to manage a Linux network configuration. The possible range of topics to cover is nearly limitless, so of course it has been impossible to include everything there is to say on all subjects. We've tried to cover the most important and common ones. We've found that beginners to Linux networking, even those with no prior exposure to Unix-like operating systems, have found this book good enough to help them successfully get their Linux network configurations up and running and get them ready to learn more.
There are many books and other sources of information from which you can learn any of the topics covered in this book (with the possible exception of some of the truly Linux-specific features, such as the new Linux firewall interface, which is not well documented elsewhere) in greater depth. We've provided a bibliography for you to use when you are ready to explore more.


# ipchains -C forward -p tcp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0
accepted

Note which arguments had to be supplied and how they are used to describe a datagram. The output of the command indicates that the datagram was accepted for forwarding, which is what we hoped for.

Now try another test, this time with a source address that doesn't belong to our network. This one should be denied:

# ipchains -C forward -p tcp -s 172.16.2.0 1025 -d 44.136.8.2 80 -i eth0
denied

Try some more tests, this time with the same details as the first test, but with different protocols. These should be denied, too:

# ipchains -C forward -p udp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0
denied

# ipchains -C forward -p icmp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0
denied

Try another destination port, again expecting it to be denied:

# ipchains -C forward -p tcp -s 172.16.1.0 1025 -d 44.136.8.2 23 -i eth0
denied

You'll go a long way toward achieving peace of mind if you design a series of exhaustive tests. While this can sometimes be as difficult as designing the firewall configuration, it's also the best way of knowing that your design is providing the security you expect of it.
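An added regression harness (not from the book) that re-runs the checks above as a table and flags any verdict that differs from the expected one; FW_CHECK, fw_verdict and fw_run_tests are assumed names, and the test table is constructed from the cases shown above:

```shell
#!/bin/sh
# Regression harness for the datagram checks: each case lists the datagram
# fields and the verdict we expect, so the whole policy can be re-verified
# in one run after every rule change.
# FW_CHECK is the command that evaluates one datagram and prints
# "accepted" or "denied"; it defaults to the ipchains check mode.
: "${FW_CHECK:=ipchains -C forward}"

# Constructed table: proto src sport dst dport iface expected-verdict.
FW_TESTS='
tcp  172.16.1.0 1025 44.136.8.2 80 eth0 accepted
tcp  172.16.2.0 1025 44.136.8.2 80 eth0 denied
udp  172.16.1.0 1025 44.136.8.2 80 eth0 denied
icmp 172.16.1.0 1025 44.136.8.2 80 eth0 denied
tcp  172.16.1.0 1025 44.136.8.2 23 eth0 denied
'

# Ask the checker for its verdict on one datagram.
fw_verdict() {
    # $1 proto  $2 src  $3 sport  $4 dst  $5 dport  $6 iface
    $FW_CHECK -p "$1" -s "$2" "$3" -d "$4" "$5" -i "$6" 2>/dev/null
}

# Run every case in FW_TESTS; print mismatches; return 0 only if all pass.
fw_run_tests() {
    fails=0
    while read -r proto src sport dst dport iface expected; do
        [ -z "$proto" ] && continue
        got=$(fw_verdict "$proto" "$src" "$sport" "$dst" "$dport" "$iface") \
            || got="error"
        if [ "$got" != "$expected" ]; then
            echo "FAIL: $proto $src:$sport -> $dst:$dport on $iface:" \
                 "expected $expected, got $got"
            fails=$((fails + 1))
        fi
    done <<EOF
$FW_TESTS
EOF
    echo "$fails test(s) failed"
    [ "$fails" -eq 0 ]
}

# Usage, as root with the forward chain loaded:  . ./fwtest.sh; fw_run_tests
```

Any "error" verdict means the checker itself failed (for example, the chain is not loaded), which is reported as a failure rather than silently skipped.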

A Sample Firewall Configuration

We've discussed the fundamentals of firewall configuration. Let's now look at what a firewall configuration might actually look like.

The configuration in this example has been designed to be easily extended and customized. We've provided three versions. The first version is implemented using the ipfwadm command (or the ipfwadm-wrapper script), the second uses ipchains, and the third uses iptables. The example doesn't attempt to exploit user-defined chains, but it will show you the similarities and differences between the old and new firewall configuration tool syntaxes:

#!/bin/bash
##########################################################################
# IPFWADM VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the ipfwadm utility. Use ipfwadm-wrapper for
# 2.2.* kernels.
IPFWADM=ipfwadm

# The path to the ipfwadm executable.
PATH="/sbin"

# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports
# note: space separated
TCPIN="smtp www"
TCPOUT="smtp www ftp ftp-data irc"

# The UDP services we wish to allow to pass - "" empty means all ports
# note: space separated
UDPIN="domain"
UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: space separated
ICMPIN="0 3 11"
ICMPOUT="8 3 11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1

# END USER CONFIGURABLE SECTION
###########################################################################

# Flush the Incoming table rules
$IPFWADM -I -f

# We want to deny incoming access by default.
$IPFWADM -I -p deny

# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
$IPFWADM -I -a deny -S $OURNET -W $ANYDEV

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPFWADM -I -a deny -P icmp -W $ANYDEV -D $OURBCAST

# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports we're allowing through.
# This should catch more than 95 % of all valid TCP packets.
$IPFWADM -I -a accept -P tcp -D $OURNET $TCPIN -k -b

# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
$IPFWADM -I -a accept -P tcp -W $ANYDEV -D $OURNET $TCPIN -y

# TCP - OUTGOING CONNECTIONS
# We accept all outgoing tcp connection requests on allowed TCP ports.
$IPFWADM -I -a accept -P tcp -W $OURDEV -D $ANYADDR $TCPOUT -y

# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports.
$IPFWADM -I -a accept -P udp -W $ANYDEV -D $OURNET $UDPIN

# UDP - OUTGOING
# We will allow UDP datagrams out on the allowed ports.
$IPFWADM -I -a accept -P udp -W $OURDEV -D $ANYADDR $UDPOUT

# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# Only the ICMP types listed in ICMPIN are let through.
$IPFWADM -I -a accept -P icmp -W $ANYDEV -D $OURNET $ICMPIN

# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
# Only the ICMP types listed in ICMPOUT are let out.
$IPFWADM -I -a accept -P icmp -W $OURDEV -D $ANYADDR $ICMPOUT

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
    # Log barred TCP
    $IPFWADM -I -a reject -P tcp -o
    # Log barred UDP
    $IPFWADM -I -a reject -P udp -o
    # Log barred ICMP
    $IPFWADM -I -a reject -P icmp -o
fi
#
# end.
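Every rule in the script trusts the variables in its user-configurable section, so as an added pre-flight check (not part of the book's script; ip2int, int2ip, net_broadcast and fw_check_config are assumed helper names) the following verifies OURBCAST, the device names and the ICMP type lists before the rules are loaded:

```shell
#!/bin/sh
# Pre-flight check for the USER CONFIGURABLE SECTION. A slip there (a
# broadcast address that is not OURNET's, a service name where an ICMP
# type number belongs, the same device named as inside and outside)
# silently weakens the policy, so catch it before the rules go live.
# Helper names are assumed; they are not part of the book's script.

# Dotted quad -> 32-bit integer (subshell body keeps the IFS change local).
ip2int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Directed broadcast of a CIDR network such as 172.29.16.0/24.
net_broadcast() {
    prefix=${1#*/}
    hostmask=$(( (1 << (32 - prefix)) - 1 ))
    int2ip $(( $(ip2int "${1%/*}") | hostmask ))
}

# Report every problem found; return 0 only when the section is clean.
fw_check_config() {
    bad=0
    if [ "$OURBCAST" != "$(net_broadcast "$OURNET")" ]; then
        echo "OURBCAST=$OURBCAST is not the broadcast of $OURNET: SMURF rule never matches"
        bad=$((bad + 1))
    fi
    if [ "$OURDEV" = "$ANYDEV" ]; then
        echo "OURDEV and ANYDEV are both $OURDEV: inside and outside rules collapse"
        bad=$((bad + 1))
    fi
    for t in $ICMPIN $ICMPOUT; do
        case $t in
            *[!0-9]*) echo "ICMP type '$t' is not a number (see netinet/ip_icmp.h)"
                      bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}
```

Source the firewall script's variable section and run fw_check_config; a non-zero exit stops the load before $IPFWADM -I -f flushes the working rules.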

Now we'll reimplement it using the ipchains command:

#!/bin/bash
##########################################################################
# IPCHAINS VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the ipchains utility.
IPCHAINS=ipchains

# The path to the ipchains executable.
PATH="/sbin"

# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
